Developers' names, mailing, and e-mail addresses "may have been accessed."


Since Thursday, registered Apple developers trying to download OS X 10.9, iOS 7, or any other Apple software from the company's developer portal have been greeted with a notice that the site was down for "maintenance." Today, the company issued a brief statement (above) blaming the extended outage on an "intruder" and stating that Apple "[has] not been able to rule out the possibility that some developers’ names, mailing addresses, and/or e-mail addresses may have been accessed."

The notice says that "sensitive" information could not be accessed by the intruder because it was encrypted, and the company told MacWorld that the system in question is not used to store "customer information," application code, or data stored by applications. Anecdotal reports (including one from our own Jacqui Cheng) point to a sudden spike in password reset requests for some Apple IDs, suggesting that e-mail addresses have in fact been accessed and distributed but that passwords were not. In any case, we generally recommend that users change their passwords when any breach (or suspected breach) like this occurs.

"In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database," the statement said. Apple has also given week-long extensions to any developers whose program subscriptions were scheduled to lapse during the outage, which will keep those developers' applications from being delisted in Apple's various App Stores.


Andrew Cunningham
Andrew wrote and edited tech news and reviews at Ars Technica from 2012 to 2017, where he still occasionally freelances; he is currently a lead editor at Wirecutter. He also records a weekly book podcast called Overdue. Twitter: @AndrewWrites

80 Reader Comments

It's interesting how companies handle incidents like this now. They're generally being more up-front and open with what happened and what they're doing. Apple aren't special in this regard, but it's a good trend and good to see them carry it on.

Since I've not updated my ADC data in about ten years (and many changes in email and physical addresses) it seems like my exposure will be minimal. Probably time to update the password though.

The intruder "attempted to secure" developers' personal information? Sounds like one ass-backwards intruder; usually intruders try to take personal information, and securing it is Apple's job.

EDIT: I am aware of the word's definition as a verb; I was trying to highlight the minor fact that whoever wrote the notice chose a word that, in the context of security breaches, usually means the exact opposite of how it was used here.

People are free to downvote for whatever reason they like. Granted sarcasm in comments is usually missed, but I am still surprised that Ars readers find no value in a comment regarding the choice of word.

Nice to see Apple being active. Writing "Apple blames days-long Developer Center outage on “intruder”" seems a little rough, "Apple states days long Developer Centre outage a response to an intruder" would probably be a better description.

It's interesting how companies handle incidents like this now. They're generally being more up-front and open with what happened and what they're doing. Apple aren't special in this regard, but it's a good trend and good to see them carry it on.

In part because of the California's Data Breach law -- but also because the court of public opinion seems to be very hard on companies that don't disclose early. That said, we'll see how the mainstream press covers this, as well as how the stock market reacts, tomorrow.

As a developer I would be jumping through two-factor auth hoops multiple times per day. It's not worth it on the convenience vs. security scale, at least until Apple adjusts things so you don't have to authenticate so often.

Besides, the real security for my dev account is the private key stored encrypted in my keychain and never uploaded to Apple's servers.

(Note: we have a business account and multiple dev accounts attached to it; it's the personal dev account I need to log into constantly, which has minimal privileges.)

Nice to see Apple being active. Writing "Apple blames days-long Developer Center outage on “intruder”" seems a little rough, "Apple states days long Developer Centre outage a response to an intruder" would probably be a better description.

Ummm...

Quote:

Since Thursday, registered Apple developers trying to download OS X 10.9, iOS 7, or any other Apple software from the company's developer portal have been greeted with a notice that the site was down for "maintenance."

How is Apple being ACTIVE here?!? Waiting for DAYS to announce a breach? That's not active...that's resting on one's laurels. See the story two below this one about how Canonical announced the impacts immediately, not after a few days of "maintenance."



They were / are being active by quickly denying the intruder access and by thoroughly fixing the problem?? Yes, it would have been nice if they had told everyone WHY access has been down, but this is Apple here. For better or worse they don't communicate things like other companies do. That doesn't mean they are resting on their laurels.

I thought it was standard practice to try to track down the intruder and/or lay bait to attract them before you scare them away by announcing the attack to the public? Anyway, I am very glad they took the portal down immediately and have announced to the public what is going on in a reasonable timeframe. I'm sure they are working around the clock to resolve the issue. A bit annoying though; we are preparing to upload our binary soon and will be out of action till this gets fixed.

Considering what Apple have invested into security, I think they have. Secrecy involves their new iProduct, not their software in what's generally available to the public. Granted, they don't seem to have the security investment that Microsoft has in Windows, but they're not really that lacking.

Maybe they forgot to take the keys away from Forstall when he was shown the door. That "We'll be back soon" message over linen has the last revenge of skeuomorphism written all over it. To paraphrase Gen. Patton... Scott, you magnificent bastard!

Correct me if I'm wrong, but have the various articles on here in the last few months not clearly shown that admitting you've been breached and advising your users about it 4 days later is hardly responsible, given that hashes (if they were acquired anyway, who knows) can be cracked in minutes or hours, not days?


It depends on the hashing function. MD5 is about as secure as a prostitute's panties on rent day. SHA1 is similar. There are some significantly better hashing functions (bcrypt for instance) that are slower, and thus less vulnerable to cracking attempts. There are also best practices like salting and other techniques that can make even good hashing functions better.
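The fast-versus-slow hashing point above, as an added example that is not part of the article or the comment: an unsalted MD5 record beside a salted, iterated one. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt; the password and salt are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample password for the demonstration (not from any breach).
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor for the slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt;
# the property that matters (many iterations per guess) is the same.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted MD5: every user with the same password gets the same record,
    so one precomputed table serves the whole database, and each guess is cheap."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2 stored as 'iterations$salt_hex$digest_hex'.
    A fresh 16-byte salt per user means identical passwords store differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def seconds_per_guess(fn, *args, rounds: int = 10) -> float:
    """Average wall-clock cost of one hash call: the per-guess cost an
    offline cracker pays against a leaked record."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    print("md5 per guess:   ", seconds_per_guess(weak_hash, SAMPLE_PASSWORD, rounds=1000))
    print("pbkdf2 per guess:", seconds_per_guess(strong_hash, SAMPLE_PASSWORD, rounds=3))
```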


Seeing as the developer account is tied to an Apple ID, I seriously doubt there would be any password hashes stored alongside developer account info in that database. Auth would be passed over to a different system.

Correct me if I'm wrong, but have the various articles on here in the last few months not clearly shown that admitting you've been breached and advising your users about it 4 days later, is hardly responsible given that hashes (if they were acquired anyways, who knows) can be cracked in minutes or hours, not days.

It depends on the hashing function. MD5 is about as secure as a prostitute's panties on rent day. SHA1 is similar. There are some significantly better hashing functions (bcrypt for instance) that are slower, and thus less vulnerable to cracking attempts. There are also best practices like salting and other techniques that can make even good hashing functions better.

Of course, but given that we don't know which function(s) were used, we can't assume that it will take them any given length of time.

Seeing as the developer account is tied to an Apple ID, I seriously doubt there would be any password hashes stored alongside developer account info in that database. Auth would be passed over to a different system.

Yeah that is true I suppose. Perhaps one is being too paranoid about this...

It certainly looks like some email addresses have leaked: I was seeing password reset attempts on one of my accounts on Sunday. Fortunately it was the one I use for in-app purchase testing, which has minimal details present.

I was sent a phishing email on the 20th. Now I know why. Guess that means my email was compromised during the attack.

Quote:

Dear Customer,

This is an automatic message by the system to let you know that you have to confirm your account information within 24 hours.

We have updated Section 8 of our Privacy Policy to provide you with more information on how protect your account and You must activate your account in order to be able to use the policy of new security and privacy.We apologise for any inconvenience.


Only 14 comments so far? If this had happened to Microsoft there'd be a shitstorm of wrath going on here.

Apple lying isn't actually news.

Just last week there was a story of Microsoft ignoring 2 months of information that is now being used for targeted attacks, which Microsoft (as of last week) hasn't gone into detail about. And it wasn't on my radar, no shitstorm from me. http://gizmodo.com/microsoft-admit-to-h ... -728475564

I am sick of this Apple vs Microsoft vs Google shit. This is why we can't enjoy our nice things.

If this had happened to Microsoft there'd be a shitstorm of wrath going on here.
If this had happened to Google there'd be a shitstorm of wrath going on here.
If this had happened to Apple there'd be a shitstorm of wrath going on here.
Microsoft lying isn't actually news.
Google lying isn't actually news.
Apple lying isn't actually news.

See how these are the same comments I read on every Apple, Microsoft, Google story? What does that tell us?!


Thank you for completing my thought. Although to be fair, your linked story isn't so much "Microsoft lies to public" as "Microsoft says and does nothing," which are distinct acts. But I'm sure Microsoft actually lying is just a google away.
